Date: Thu, 16 Jan 1997 11:16:49 -0200 (EDT)
From: Joao Carlos Mendes Luis <jonny@mailhost.coppe.ufrj.br>
To: nate@mt.sri.com (Nate Williams)
Cc: ejs@bfd.com, nate@mt.sri.com, phk@freebsd.org, current@freebsd.org
Subject: Re: ipfw cannot do this...
Message-ID: <199701161316.LAA05573@gaia.coppe.ufrj.br>
In-Reply-To: <199701151919.MAA06300@rocky.mt.sri.com> from Nate Williams at "Jan 15, 97 12:19:40 pm"
#define quoting(Nate Williams)
// > > > I just found out one thing we need in ipfw, the ability to inverse the
// > > > sense of a rule:
// > > >
// > > > ipfw add deny not ip from 140.145.0.0 to any via ed0
// > > > ipfw add deny not ip from any to 140.145.0.0 via ed1
// > > >               ^^^
// > > > ipfw add allow tcp from any to any 23
// > > > ipfw add allow tcp from any to any 25
// > > > ...
// > > >
// > > > any takers ?
// > >
// > > I'm not sure I follow what you want. What exactly are you trying to do?
// >
// > As someone that wants something like this, I think I can answer. Quite a
// > few times, I've wanted to deny everything but a certain address range, and
// > then further restrict that address range. I'd like this !!!
//
// Why not 'add' acceptance hosts and then restrict everything after that.

The acceptance list could be too big to be useful. For example, how can I
deny spoofing from a subnet ? The standard rc.firewall suggests the following
piece of code:

 /sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
 /sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}

But this would probably be better:

 /sbin/ipfw add deny all from not ${inet}:${imask} to any in via ${iif}
 /sbin/ipfw add deny all from ${inet}:${imask} to any in via not ${iif}

The second line in the first piece of code does not prevent all spoofing.

// Since ipfw goes until it gets a match, it'll work fine that way.
//
// This is how I'm doing it now.
//
// # Allow traffic to/from machine 1.2.3.4 only
// ipfw add allow tcp from 1.2.3.4 to any via ed0
// ipfw add allow tcp from any to 1.2.3.4 via ed0
// ipfw add deny log tcp from any to any via ed0

What if you want to restrict access based on tcp port ?

Jonny

--
Joao Carlos Mendes Luis            jonny@gta.ufrj.br
+55 21 290-4698 ( Job )            jonny@cisi.coppe.ufrj.br
Network Manager                    UFRJ/COPPE/CISI
Universidade Federal do Rio de Janeiro
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199701161316.LAA05573>
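The message above compares two anti-spoofing rule pairs and states that the stock rc.firewall pair misses some spoofed packets. The following is an added example, not code from the thread or from FreeBSD: a small first-match simulator for ipfw-style rules that supports `not` on the source address and on the interface, run over constructed packets so the difference between the two rule sets can be seen directly. The network ranges, interface names (`ed0`, `ed1`, and a hypothetical third interface `ed2`) and the packets are all constructed stand-ins for `${inet}`, `${onet}`, `${iif}` and `${oif}`; the third-interface case goes slightly beyond what the message spells out, to show that the `not ${iif}` form covers it as well.

```python
"""Added example (not from the original thread): a minimal first-match
simulator for ipfw-style deny rules with 'not' on source and interface.
All addresses, interfaces and packets below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for rc.firewall's ${inet}:${imask}, ${onet}:${omask},
# ${iif} (inside interface) and ${oif} (outside interface).
INET = ipaddress.ip_network("10.1.0.0/16")      # inside network (constructed)
ONET = ipaddress.ip_network("192.0.2.0/24")     # outside network (constructed)
IIF, OIF = "ed1", "ed0"                         # inside / outside interface


@dataclass
class Rule:
    action: str                              # "deny" or "allow"
    src: Optional[ipaddress.IPv4Network]     # None means "any"
    src_negate: bool = False                 # 'from not <net>'
    via: Optional[str] = None                # None means any interface
    via_negate: bool = False                 # 'via not <iface>'

    def matches(self, src_ip: str, iface: str) -> bool:
        src_ok = self.src is None or ipaddress.ip_address(src_ip) in self.src
        if self.src_negate:
            src_ok = not src_ok
        via_ok = self.via is None or iface == self.via
        if self.via_negate:
            via_ok = not via_ok
        return src_ok and via_ok


def first_match(rules, src_ip: str, iface: str, default: str = "allow") -> str:
    """ipfw semantics: the first rule that matches decides the verdict."""
    for rule in rules:
        if rule.matches(src_ip, iface):
            return rule.action
    return default


# Rule set 1: the stock rc.firewall pair quoted in the message.
RC_FIREWALL = [
    Rule("deny", INET, via=OIF),   # deny all from ${inet}:${imask} to any in via ${oif}
    Rule("deny", ONET, via=IIF),   # deny all from ${onet}:${omask} to any in via ${iif}
]

# Rule set 2: the proposed pair using 'not' on the source and on the interface.
WITH_NOT = [
    Rule("deny", INET, src_negate=True, via=IIF),  # deny all from not ${inet} in via ${iif}
    Rule("deny", INET, via=IIF, via_negate=True),  # deny all from ${inet} in via not ${iif}
]

# Constructed packets: (description, source address, arriving interface).
PACKETS = [
    ("legit inside host on inside if",      "10.1.2.3",    IIF),
    ("legit outside host on outside if",    "192.0.2.7",   OIF),
    ("inside addr spoofed on outside if",   "10.1.2.3",    OIF),
    ("outside addr spoofed on inside if",   "192.0.2.7",   IIF),
    ("unrelated addr spoofed on inside if", "203.0.113.9", IIF),    # not in ${onet}
    ("inside addr spoofed on a third if",   "10.1.2.3",    "ed2"),  # neither ${iif} nor ${oif}
]


def compare() -> dict:
    """Map each packet description to (rc.firewall verdict, 'not' verdict)."""
    return {
        desc: (first_match(RC_FIREWALL, ip, ifc), first_match(WITH_NOT, ip, ifc))
        for desc, ip, ifc in PACKETS
    }


if __name__ == "__main__":
    for desc, (stock, negated) in compare().items():
        print(f"{desc:38s} rc.firewall={stock:5s} with-not={negated}")
```

Running it shows the two rule sets agree on the legitimate packets and on the two spoof cases the stock pair was written for, but the stock pair lets through a source address outside both `${inet}` and `${onet}` arriving on the inside interface, and an inside address arriving on any interface other than `${oif}`; the `not` forms deny both because they express the intended invariant (inside addresses only on the inside interface, nothing else there) rather than enumerating the cases.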